LayerZero: KelpDAO Attack Limited to rsETH Configuration, Protocol Unaffected

iconKuCoinFlash
Share
Share IconShare IconShare IconShare IconShare IconShare IconCopy
AI summary iconSummary

expand icon
LayerZero announced that the April 18 attack on KelpDAO, linked to the Lazarus Group, exploited compromised RPC nodes within KelpDAO’s DVN. The attackers used DDoS to redirect the network to malicious nodes, forging cross-chain transactions. The protocol update confirms the breach was limited to KelpDAO’s rsETH setup, with no impact on other assets. LayerZero is urging single-DVN projects to adopt a multi-DVN architecture and has paused services for 1/1 configurations. On-chain reports indicate the firm is also assisting authorities in tracking the stolen funds.

Odaily Planet Daily reports: LayerZero Labs posted on X that on April 18, KelpDAO suffered an attack resulting in losses of approximately $290 million, with initial assessments pointing to Lazarus Group as the perpetrator. The attack was carried out by poisoning the downstream RPC infrastructure relied upon by KelpDAO’s decentralized verification network (DVN); the attackers compromised certain RPC nodes and coordinated a DDoS attack to force the system to switch to malicious nodes, thereby fabricating cross-chain transactions. The affected RPC nodes have since been taken offline and replaced, and the DVN has resumed operations.

LayerZero emphasized that this incident was limited to KelpDAO’s rsETH application configuration and did not affect any other assets or applications. KelpDAO was unable to detect forged messages due to its reliance on a single DVN architecture without multi-DVN redundancy. The LayerZero protocol itself had no vulnerabilities, and applications configured with multiple DVNs were unaffected. LayerZero will drive all single-DVN configurations to migrate to a multi-DVN architecture, has suspended signature and verification services for 1/1 configurations, and is assisting law enforcement in tracking the stolen funds.

Disclaimer: The information on this page may have been obtained from third parties and does not necessarily reflect the views or opinions of KuCoin. This content is provided for general informational purposes only, without any representation or warranty of any kind, nor shall it be construed as financial or investment advice. KuCoin shall not be liable for any errors or omissions, or for any outcomes resulting from the use of this information. Investments in digital assets can be risky. Please carefully evaluate the risks of a product and your risk tolerance based on your own financial circumstances. For more information, please refer to our Terms of Use and Risk Disclosure.